SAP HANA Security Guide - Amazon S3 · PDF fileReading Sample This sample chapter describes...

Reading SampleThis sample chapter describes the different types of catalog objects avai-lable in SAP HANA. It covers creating, managing, and deploying both na-tive and repository catalog object, and ends with a practical case study.

Jonathan Haun

SAP HANA Security Guide541 Pages, 2017, $79.95 ISBN 978-1-4932-1441-9

www.sap-press.com/4227

First-hand knowledge.

“Catalog Objects”

Contents

Index

The Author

https://www.sap-press.com/sap-hana-security-guide_4227/#utm_source=AWS&utm_medium=readingsample&utm_campaign=Browse%20the%20Book&utm_content=1441

85

3

Chapter 3

Catalog Objects

In this chapter, we’ll explore the different types of catalog objects and

walk through the two major options available for creating them. How

you choose to create catalog objects has a profound effect on the secu-

rity model structure and management processes.

Object privileges play an important role in the development of any SAP HANA secu-

rity model. They define the types of SQL script actions a user can perform on a catalog

object (also sometimes referred to as a database object). SAP HANA hosts multiple

types of catalog objects. In this chapter, we’ll explore the different types of catalog

objects that SAP HANA hosts. We’ll also explain that there are different ways to create

most catalog objects: Catalog objects can be created directly using SQL CREATE state-

ments, in which case they’re called native catalog objects. The user issuing the SQL

statement is the owner of the native catalog object. SAP HANA also supports the cre-

ation of some catalog objects as repository development artifacts, in which case

they’re called repository catalog objects. Repository catalog objects are owned by the

_SYS_REPO system account.

Because the principal of object ownership is a critical concept in all security models,

the acute distinction of ownership—between native and repository catalog objects—

is very important. Therefore, in this chapter we’ll take a detailed look at the different

options for creating catalog objects. The options an organization chooses to use

when create catalog objects is of critical importance to all security administrators.

We’ll define the different types of catalog objects, demonstrate how to create both

native and repository objects, review the process for deploying repository objects,

and conclude with a case study to demonstrate a real-world example.

3.1 What Are SAP HANA Catalog Objects?

Catalog objects consist of various relational database management system (RDBMS)

artifacts, such as tables, views, stored procedures, triggers, sequences, and a few other

3 Catalog Objects

86

items. Items such as tables both store and define the structure of the data. Other

items, such as views, are used to express query logic. The following list describes the

most common catalog objects available in SAP HANA:

� Schema

A schema object is a logical organizational unit that is a parent to all other catalog

objects. When other catalog objects are created, a schema must be specified. From

the perspective of a security model, it’s the most important catalog object.

Whether to secure the entire schema or to secure the individual catalog objects

within the schema is a critical choice to make.

� Tables

Tables define the structure of data and store data within an RDBMS. Their structure

is defined by columns, rows, and data types, and rows of data are logically stored in

this table structure. Because the data contained in tables might be sensitive, it’s

important that organizations limit the types of SQL statements that can be exe-

cuted against tables.

� Triggers

Triggers are catalog objects that contain code that executes a procedure depending

on a variety of events that occur within the RDBMS. They are used for a variety of

purposes, ranging from database management to data integrity. Because their

code can manipulate data and other catalog objects, it’s important for organiza-

tions to restrict where and how they are used.

� Views

Views act as logical tables. However, in SAP HANA they are not used to store data.

Instead, they are defined using SQL query statements. Like tables, they offer col-

umns and data types and can be queried. Within their definitions, their SQL query

statements can perform actions such as combining tables, restricting data, and

aggregating results. From a security standpoint, most catalog views need to be

secured for the same reasons that we secure access to tables.

� Synonyms

Synonyms are used as logical reference points to other catalog objects. They act

aliases to obscure the identity of other catalog objects. Synonyms exclusively use

the granted privileges of the objects they reference.

� Sequences

Sequences are catalog objects used to keep track of an incremented number value

by means of its definition. They can be queried in procedural code to determine

the current or next value within a defined sequence. They often are used to create

87

3.2 Creating and Managing Native Catalog Objects

3

unique identity columns within a table. For example, we can use a sequence to

generate a new value in a primary key column, with the requirement that the

value be unique for the row.

� Procedures

A stored procedure is a catalog object that contains complex developed SQL code.

It can return a dataset, much like a catalog view. However, the code can also per-

form tasks within the RDBMS system. These procedures support both input and

output parameters, which makes them dynamic.

� Indexes

An index is an object used to optimize the retrieval of data from a table. Although

it increases the performance of some queries, it also comes at the cost of increased

storage. Security administrators typically limit privileges to create and drop

indexes because of the impact they have on both performance and storage cost.

� Functions

Functions are custom snippets of SQL code used to perform read-only operations

on data. They can be defined as single-valued input and output or table-valued

input and output. Once created, they can be referenced within SQL SELECT state-

ments and SQL stored procedures. Depending on the purpose of the catalog func-

tion, regulating access to these objects can be important. For example, if a function

is used to apply core business logic within a SQL query, security administrators

likely will need to limit the number of individuals that can alter the function.

Now that we’ve listed the common catalog objects used in an SAP HANA system, let’s

look at the options for creating them. For this discussion, we’ll demonstrate the pro-

cesses necessary to create a schema and the processes necessary to create a table.

We’ll highlight the differences based on instances in which we plan to use SQL state-

ments and instances in which we plan to use repository objects. How you create

objects is important to your security model, so pay close attention to these options

while focusing on how they affect an object’s ownership.


The process used to create standard catalog objects typically involves executing a

SQL statement containing a CREATE statement and the supporting syntax specific to

the objects being created. Once a CREATE statement is successfully executed, a run-

time version of the object will exist in the SAP HANA system. Active objects within

3 Catalog Objects

88

the RDBMS catalog are called runtime objects. However, the design-time script will

remain within the SQL console. The design-time state or design-time objects repre-

sent the script or code used to define an object. With SQL, if you need to save the

design-time script, you’ll need to save to a file system independent from the SAP

HANA system.

Those familiar with SAP HANA Studio will likely be aware that some objects can be

created using the GUI. Although the workflow appears graphical in nature, these GUI

windows are issuing SQL statements to the system based on the options selected

within the GUI. Like using SQL statements, the design-time definition of the objects

isn’t stored within the SAP HANA system. In fact, it’s more difficult to save the script

when using the GUI, because the script needs to be extracted from the GUI execution

status windows. However, SAP HANA Studio allows you to copy the text of the SQL

statement from the status window; if you extract the SQL statement, you can then

save it to a file for safekeeping.

Regardless of the method you use to create a standard catalog object, SQL statements

inevitably will be issued to the SAP HANA system. In this section, we’ll introduce the

basic workflows and SQL syntax needed to create a standard schema and table and

discuss how they influence a security model. When applicable, we’ll demonstrate

how objects can be generated using SAP HANA Studio.

3.2.1 Creating Schemas

Schemas are core relational database objects used to logically store all other catalog

objects. Standard catalog schemas are generated in three ways:

1. When a standard user account is created, the system automatically generates a

schema for that user. The user is the sole owner of that schema, and the account

owner must grant privileges to other users or roles before they can interact with

the user’s schema.

2. Schemas can be created using a SQL CREATE statement. The following SQL state-

ments can be used to create a schema. In the first example, we can specify the

owner of the schema. In the second example, the system assumes that the user

executing the statement will be the owner:

– CREATE SCHEMA "MySchema" OWNED BY USER_NAME

– CREATE SCHEMA "MySchema"

3. The third option for creating a schema is via the SAP HANA Web-Based Develop-

ment Workbench catalog editor. The SAP HANA system offers several web-based

89


3

GUIs to aid in the creation and modification of both catalog and repository-based

objects. Not all objects can be created utilizing a GUI within this interface, but sche-

mas can be. The user account used to log on to the SAP HANA Web-Based Develop-

ment Workbench catalog editor will be the owner of the schema.

To access this web-based GUI, enter the correct URL into a supported web

browser’s address bar using the following template:

http://<sap_hana_host>:80<instance_number>/sap/hana/ide/catalog

Replace <sap_hana_host> with the hostname of the SAP HANA system in your

environment and <instance_number> with the two-digit instance number corre-

sponding to your SAP HANA system.

For secure access, use the following template:

https://<sap_hana_host>:43<instance_number>/sap/hana/ide/catalog

If you have the appropriate privileges to access the SAP HANA Web-Based Devel-

opment Workbench catalog editor, you can log on to the web interface using these

URLs. Once logged in, you can create a catalog schema, assuming you have the nec-

essary system privileges.

To create a catalog schema within this interface, right-click the Catalog node on

the left side of the window. From the context menu, choose New Schema. A win-

dow titled Create new Schema will open. Enter the name of the schema in the text

box labeled New Schema (see Figure 3.1). If you want the exact case of the text

(uppercase/lowercase) to be used in the schema name, uncheck Case-insensitive.

Click OK to complete the workflow and generate the schema.

Figure 3.1 Creating Schema with SAP HANA Web-Based Development Workbench

3 Catalog Objects

90

SAP HANA Web-Based Development Workbench

For more information on accessing and using the SAP HANA Web-Based Develop-

ment Workbench, please download the SAP HANA Developer Guide for the SAP

HANA Web-Based Development Workbench from https://help.sap.com/viewer/

b3d0daf2a98e49ada00bf31b7ca7a42e/2.0.00/en-US.

For a direct link to the PDF version of the guide, use the following URL: https://

help.sap.com/doc/7d957b1b6c1a4791a1212b45e9a797df/2.0.00/en-US/SAP_HANA_Devel-

oper_Guide_for_SAP_HANA_Web_Workbench_en.pdf.

All three options will result in a schema that will be owned by the individual execut-

ing the script or completing the action within the GUI. Because standard catalog sche-

mas are owned by standard user accounts, maintaining access to these accounts is

critical. This is because only the owner of the schema can initially grant privileges on

the schema’s catalog objects to other users and roles. This is an important concept

that needs to be understood by all security administrators.

Depending on your SAP HANA solution, a standard schema and its associated service

account will likely be generated programmatically by other SAP software. For exam-

ple, when we’re installing an SAP NetWeaver-based solution on SAP HANA, the soft-

ware provisioning manager will create a service account user and use its user schema

to store the system tables, views, and other objects used by the SAP NetWeaver appli-

cation. If your organization plans to provide direct access to these SAP HANA objects,

maintaining access to the service account that owns this schema will be critical. At

some point, the security administrator or Basis administrator will likely need to log

on to SAP HANA Studio with the service account to grant privileges to other users or

roles.

As mentioned before, granting privileges to a schema will inherently grant any appli-

cable privileges to tables, views, functions, sequences, column views, and other

objects associated with that schema. Some organizations might choose to grant

schema privileges only to users and roles. Doing so will greatly reduce the mainte-

nance of the security model, because all new objects will inherit the granted privi-

leges from the schema. However, some organizations might find this too broad of a

methodology and choose to secure objects individually.

Let’s now look at how to create individual objects by exploring the options available

when creating tables.

91


3

3.2.2 Creating Catalog Tables

There are two different methods we can use to create standard tables within SAP HANA.

We can execute SQL statements using the CREATE table syntax to produce a catalog

table. Such objects are owned by the user account issuing the statement. We can also

use the GUI within SAP HANA Studio to define a table. Both methods issue SQL state-

ments to the system, and the user account executing the workflow owns the object.

Let’s look at how to use the CREATE SQL statement to generate a table. First, we can

execute SQL statements within the SQL console. Refer to Chapter 1 if you need a

refresher on how to access the SQL console within SAP HANA Studio. To create a col-

umn store table with two columns, you would execute the following SQL statement

within the SQL console:

CREATE COLUMN TABLE "MySchema"."MyTable"("MyColumnA" NVARCHAR(5) PRIMARY KEY, "MyColumnB" DECIMAL(26,6) );

To create a table using another table’s definition as a template, execute the following

SQL statement:

CREATE TABLE "MySchema"."MyCopyTable" like "MySchema"."MyTable" WITH NO DATA;

Creating Tables or Schemas

The complete syntax for creating tables, schemas, and other catalog objects is beyond

the scope of this book. To review the full syntax and all available options, please access

the SAP HANA SQL and System Views Reference Guide found at https://help.sap.com/

hana_platform or use the following direct link to the guide in PDF format: https://

help.sap.com/doc/9b40bf74f8644b898fb07dabdd2a36ad/2.0.00/en-US/SAP_HANA_

SQL_and_System_Views_Reference_en.pdf.

The second option for creating catalog tables relies on a GUI within SAP HANA Studio.

SAP HANA Studio provides an interface containing many of the standard options nec-

essary to create a table. To access this GUI and create a table, use the following steps:

1. Open SAP HANA Studio and connect to the desired system. This workflow will

work in any perspective containing the Systems window.

2. Within the Systems window, expand the system to reveal the Catalog node.

3. Within the Catalog node, expand the tree under the schema in which you want to

create the table.

3 Catalog Objects

92

4. Within the schema node, right-click the Tables folder and choose New Table. A

window will appear like the one shown in Figure 3.2. To properly define the table,

enter a name in the Table Name field and define one or more columns within the

Columns tab. When defining a column, you must provide the SQL Data Type and

Dimension for applicable column types.

Figure 3.2 Create Table GUI in SAP HANA Studio

5. To add additional columns, click + within the Columns tab to add an additional

row. Within each new row, you can define an additional column.

6. Once you’ve defined all the desired properties of the table, execute the object to

activate it within the system. To do so, press (F8) to execute the SQL code gener-

ated by the GUI. A small window will appear at the top containing the status of the

execution and the SQL code that was executed by the system. If you choose to do

so, the SQL statements within this status window can be coped and saved to a local

file.

It’s important to note that this graphical workflow technically issues SQL statements

to the system. Therefore, the table will be owned by the individual executing the

workflow. From a security perspective, the owner of the table or anyone with full con-

trol of the table’s schema will need to grant privileges to other users or roles to allow

them access to the table. The table will also be removed from the system if the exe-

cuting user is removed from the system at any time in the future.

93


3

3.2.3 Creating Other Catalog Objects

All catalog objects can be created using the SQL CREATE statement. The syntax in most

cases follows a pattern like the following:

CREATE <Catalog Object Type> <Catalog Object Name> <Options>

The catalog object type can be an item such as TABLE, VIEW, PROCEDURE, FUNCTION, SCHEMA,

TYPE, or another catalog object. The catalog object name can be any name you choose,

so long as it contains supported characters. The options will vary based on the catalog

object you’re creating.

For example, to create a catalog view, you can execute the following SQL code:

CREATE VIEW "MyView" ASSELECT * FROM "MyTable" WHERE "State" = 'Active';

To create a stored procedure named MyProcedureName that outputs a dataset from a

table, define it using the code in Listing 3.1.

CREATE PROCEDURE MyProcedureName(IN id INT, OUT data CUSTOMER) LANGUAGESQLSCRIPTREADS SQL DATA WITH RESULT VIEW ProcView ASBEGINdata = SELECT * FROM DMART.DIMCUSTOMER WHERE CUSTOMER_ID = :id;END;

Listing 3.1 Code to Define MyProcedureName Example Stored Procedure

These are just a few examples to help demonstrate how catalog objects are created

using SQL scripts. When creating objects using SQL, remember that the user execut-

ing the statement will be the owner of the object.

Creating Catalog Objects

The complete syntax for creating tables, schemas, and other catalog objects is

beyond the scope of this book. To review the full syntax and all available options,

please access the SAP HANA SQL and System Views Reference Guide found at https://

help.sap.com/hana_platform or by using the following direct link to the guide in

PDF format: https://help.sap.com/doc/9b40bf74f8644b898fb07dabdd2a36ad/2.0.00/

en-US/SAP_HANA_SQL_and_System_Views_Reference_en.pdf.

3 Catalog Objects

94

For information pertaining to creating objects using the GUI within SAP HANA Stu-

dio, please access the SAP HANA Administration Guide at https://help.sap.com/

hana_platform. Look for the sections labeled Create a Table in Runtime or Create a

View in Runtime.

3.3 Creating and Managing Repository Catalog Objects

For many RDBMS administrators, the process of issuing CREATE statements is a well-

known methodology used to generate database catalog objects. However, SAP HANA

offers an alternative to this traditional approach. It can offer this alternative because

SAP HANA is also a development environment that allows organizations to define

and store both design-time and runtime versions of objects. Design-time objects are

stored in the SAP HANA repository, whereas runtime objects exist within the SAP

HANA RDBMS catalog.

For example, we can define a development artifact called a repository table within the

development repository found in SAP HANA studio. Once defined and activated, a

catalog table is created in a specified schema. Repository tables function exactly like

tables created with a SQL CREATE statement. However, it’s important to note that a

repository table is owned by the system account _SYS_REPO and not by the devel-

oper that activates it.

_SYS_REPO is the main system account responsible for managing, generating, own-

ing, and activating repository-based objects. This includes repository schemas, tables,

roles, views, and procedures. Leveraging the use of repository objects greatly reduces

maintenance within a security model, because _SYS_REPO is already the owner of

these objects and many objects within the system. There will be no need to log on as

the traditional object owner and grant rights to other users and roles for repository

objects. Most developers have a hard time remembering that they need to grant priv-

ileges to security administrators each time they create a schema or sometimes objects

within a schema. By creating repository objects, developers are decoupled from this

responsibility, because their repository objects are activated as catalog objects owned

by _SYS_REPO. This simplifies the process and reduces the communication that needs

to be established between SAP HANA developers and security administrators

_SYS_REPO is also responsible for managing the activation of SAP HANA information

views. These multidimensional views reference catalog tables and can’t be activated

unless the _SYS_REPO account has been granted SELECT, EXECUTE, and WITH GRANT

95


3

OPTION/Grantable to others for the object. Again, if we choose to create repository

tables or schemas, the _SYS_REPO account will already have the required privileges.

In Chapter 6, we’ll discuss this concept further. For now, note that most of the secu-

rity model simplification is only achieved when we use both repository catalog

objects and repository roles within our environment. Both objects are owned and

executed by the _SYS_REPO account.

As mentioned, the designation of ownership is vital within the security model.

Repository objects are owned by the _SYS_REPO system account. Therefore, we must

pay close attention to the methods developers use when creating catalog objects. To

further your understanding, let’s look at a few examples of the process used to create

both a repository schema and a repository table.

3.3.1 Creating Repository Schemas

To create a repository schema, we must first log on to an SAP HANA system and

switch to the development perspective within SAP HANA Studio. As discussed in

Chapter 1, we then need to access the Repositories tab and ensure that we have a local

repository workspace defined. Once the workspace is defined, expand the package

hierarchy to the desired package, then right-click and choose New � Other.

A window labeled Select a wizard will open. Within the Search dialog, type “schema”.

Choose the Schema object under SAP HANA � Database Development, then click Next,

as shown in Figure 3.3.

Figure 3.3 Searching for Schema Repository Objects

3 Catalog Objects

96

In the next window, labeled New Schema, enter a file name in the File name field (see

Figure 3.4). The file name will become the name of the schema, so choose a name that

matches the desired schema name. From the Templates dropdown, choose Basic; this

will provide the basic syntax necessary to define a repository schema in the next win-

dow. Click Next to continue.

Figure 3.4 Defining Repository Schema Name and Choosing Template

A window containing the template’s example text used to define a repository

schema will now open, as shown in Figure 3.5. Because you chose the basic template,

most of the necessary syntax has already been defined for you. Press (Ctrl)+(F3) to

save and activate the repository schema. The design-time object will be saved in the

SAP HANA repository, and the runtime object will be created in the SAP HANA

RDBMS catalog.

97


3

Figure 3.5 Syntax to Define Repository Schema

The syntax for creating a repository schema is very basic: The text preceded by two

slash marks (//) is a comment only visible to the developer. The two slash marks tell

the SAP HANA code compiler to ignore the information on that line. The core of the

script is the following text:

Schema_name = "MySchema";

The text within the double quotes should match the name of the desired schema and

the name given to the .hdbschema file in the repository.

Once activated, users with the CREATE ANY privilege for the schema will be able to cre-

ate standard catalog objects within the schema using CREATE statements. However, we

recommended that developers use the repository to create these objects. The reposi-

tory schema will be owned by the _SYS_REPO user, with no need for the developer to

be granted CREATE ANY on the schema. Developers only need to have access to activate

objects within the SAP HANA repository; the _SYS_REPO user account creates the

objects on behalf of the developer. Once again, we can simplify the security model,

because developers do not need to be granted CREATE ANY privileges for a schema to

create a catalog object.

Another important security aspect of a repository schema is that the _SYS_REPO

account will own the schema. Thus, _SYS_REPO will have full privileges for all objects

created in the schema, regardless of the method used to create them. Again, we recom-

mend that developers use the repository to create objects. However, if for some reason

they do not, then the _SYS_REPO account will already have the privileges necessary to

establish repository roles that reference objects within the repository schema.

3 Catalog Objects

98

3.3.2 Creating Repository Tables

To create a repository table, first log on to an SAP HANA system and switch to the

development perspective within SAP HANA Studio. As discussed in Chapter 1, you

then access the Repositories tab and ensure that you have a local repository work-

space defined. If the workspace is defined, continue to expand the package hierarchy

to the desired package, then right-click it and choose New � Other.

A window will appear, labeled Select a Wizard. Within the Search dialog, type “data-

base table”. Choose the Database Table object under SAP HANA � Database Develop-

ment, then click Next.

In the next window, labeled New Database Table, enter a file name in the File name

field (see Figure 3.6). The file name will become the name of the table, so define a

name that matches the desired table name. From the Template dropdown, choose

Basic. As before, this selection will provide you with the basic syntax necessary to

define a repository table in the next window. Click Next to continue.

Figure 3.6 Defining Repository Table Name and Choosing Template

99


3

A window will now appear, as shown in Figure 3.7, which contains the template’s

example text used to define a repository table. Because you chose the basic template,

several examples and comments on the syntax are included here. To define a table,

simply adjust the template syntax to match your requirements.

Figure 3.7 Defining Repository Table

If you’ve entered the correct syntax, press (Ctrl)+(F3) to save and activate the repos-

itory table. The design-time object will be saved in the SAP HANA repository, and the

runtime object will be created in the SAP HANA RDBMS catalog. Within the script,

you specify the schema that will house the repository table. You will now be able to

find the table within the SAP HANA catalog or within the schema node when brows-

ing from SAP HANA Studio.

It’s worth mentioning that the design-time object name and catalog object name will

be different. The catalog object name will contain the name you specified for the

repository object and will be prefixed with the package hierarchy name. For example,

if we created the design-time repository table, named MyTable, in a package hierarchy

of myco.app.tables, the name of the table would be myco.app.tables::MyTable. To query

this table using SQL, you would execute the following SQL statement:

SELECT * FROM "MySchema"."myco.app.tables::MyTable"

Notice that the table name is prefixed with the package hierarchy name and two

colons (myco.app.tables::). Because we used lowercase and camel case for the pack-

age name and table name, respectively, we must set the schema and catalog table

name between double quotes in the SQL statement. SAP HANA is case-sensitive by

3 Catalog Objects

100

default. Without the double quotes, the system would look for the object name while

assuming you intended to use uppercase on all objects, and thus would fail to find

the objects, because they were created with lowercase or camel case.

SAP HANA Repository Catalog Objects

For more information on the process used to create and manage repository tables

and other repository-based objects, access the SAP HANA Developer Guide found at

http://help.sap.com/hana_platform.

For a direct link to the PDF version of the guide, use the following URL: https://

help.sap.com/doc/fbb802faa34440b39a5b6e3814c6d3b5/2.0.00/en-US/SAP_HANA_

Developer_Guide_for_SAP_HANA_Studio_en.pdf.

Again, repository tables are owned by the _SYS_REPO system account, which will

greatly simplify the setup of your security model. It will also aid in the promotion of

a security model and its referenced repository objects when we need to move them

into another SAP HANA environment. For example, we can define a security model in

an SAP HANA development environment, within which we can create a delivery unit

containing a design-time repository table, schema, and role. The delivery unit, con-

taining a security model, can be exported to a file and later imported into a produc-

tion environment. This process is only possible because we chose to define catalog

objects as repository objects. In the next section, we’ll take a closer look at how to

deploy repository objects using a delivery unit.

3.4 Deploying Repository Objects

Chapter 14 will provide information about the processes, procedures, and steps nec-

essary to manage a repository-based security model’s lifecycle using SAP HANA

application lifecycle management. In this section, we simply will introduce you to

lifecycle management terms and concepts specific to catalog objects. Specifically,

we’ll define the terms content vendor and delivery unit. We’ll also demonstrate how to

package repository-based content into a delivery unit and export it to a file using SAP

HANA Studio.

With most security models, there will come a point at which we need to move, share, or

migrate to a new SAP HANA environment. Before we can properly do that, we need to

make sure that all the objects that the model references are also available in each envi-

ronment. We refer to these objects as security model dependencies. Security model

101


3

dependencies are typically composed of various catalog objects. The makeup of a prop-

erly designed security model consists of a series of repository roles. When these repos-

itory roles reference repository-based catalog objects, we can move all parts of the

model to another environment via the lifecycle management tools built into SAP

HANA and SAP HANA Studio.

We’ve already introduced the processes necessary for creating repository schemas and

tables. Assuming we develop all other objects as repository-based artifacts, moving

these objects between environments will be possible. However, before we can export

these objects and then import them into another environment, we must ensure that

the source SAP HANA system is set up to support such activities. Two key items must

be configured before we can proceed: First, we need to define the content vendor

within our source SAP HANA system, and second, we must define a delivery unit.

Each SAP HANA instance must be configured with a content vendor before we can con-

duct lifecycle management activities. The content vendor is a value used to uniquely

identify the organization or system that generated a delivery unit or exported con-

tent. The typical format of its value looks similar to that of a domain name used in an

email address, but it can take on other supported formats. For example, the value can

be something like mycompany.com or MyCompanyName. We don’t recommend using spaces

between characters, because some SAP HANA interfaces don’t support them when

specifying the content vendor name.

The simplest way to establish a content vendor within an SAP HANA system is to ask

your SAP HANA administrator to execute an ALTER SYSTEM SQL statement. Our first

example will set the content vendor to 'mycompany.com', as follows:

ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')SET ('repository', 'content_vendor') = 'mycompany.com'

WITH RECONFIGURE;

The second example will set the content vendor to 'MyCompanyName':

ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')SET ('repository', 'content_vendor') = 'MyCompanyName'

WITH RECONFIGURE;

For this statement to work in your environment, simply change mycompany.com to a

value appropriate for your organization. Make sure you include the WITH CONFIGURE

statement to activate the change without needing to restart the system. There are a

few other ways to change the content vendor using a GUI; however, we find that

3 Catalog Objects

102

running this SQL statement is the simplest and most direct way to implement the

setting.

Once a content vendor is defined, we can then define a delivery unit. A delivery unit is

a logical object that can be configured with one or more repository packages. As men-

tioned in Chapter 2, a package is a logical organization unit used to store develop-

ment artifacts. The main purpose of a delivery unit is to create bundles of packages

containing repository objects so that we can transport them to another SAP HANA

system.

To create a delivery unit, access SAP HANA Studio and switch to the SAP HANA mod-

eler perspective. In the default layout of this perspective, there will be a Quick View

tab or window on the right side of the interface. Within this area, you’ll see an option

labeled Delivery Units; click it to open the Delivery Units management window.

Figure 3.8 shows both the Quick View window on the right and the Delivery Units

management window on the left.

Figure 3.8 Quick View Window and Delivery Units Management Window in

SAP HANA Studio

103


3

In the Delivery Units management window, click the Create button located to the

right of the Delivery Units section. A window titled New Delivery Unit will open. Enter

a name in the required Name field. All other information is optional, but Figure 3.9

shows an example of the settings to use to initialize the delivery unit. Click OK to cre-

ate the delivery unit.

Figure 3.9 New Delivery Unit Configuration Window

We now need to assign packages to this delivery unit. After clicking OK in the New

Delivery Unit configuration window, you should have been returned to the Delivery

Units management window. To assign packages to our newly created delivery unit,

first select the delivery unit within the Delivery Units section. To the right of the

Assigned Packages section, click the Add button. A new window will appear, titled

Assign Packages (see Figure 3.10).

To assign packages to the delivery unit, select the highest node level that contains all

the appropriate packages, subpackages, and development artifacts. Make sure that

the Select all sub-packages under the selected nodes checkbox is selected to ensure

that all assigned subpackages are included within the delivery unit. Click Finish to

complete the process. In Figure 3.11, the delivery unit named HANA_SECURITY_

MODEL has been assigned the Security, Security.Schemas, and Security.tables pack-

ages. Click Finish to close the Delivery Units management window.

3 Catalog Objects

104

Figure 3.10 Assign Packages Window

Figure 3.11 Packages Assigned to HANA_SECURITY_MODEL Delivery Unit

105


3

Managing Delivery Units and Establishing a Content Vendor Value

For more information and for alternative options available to manage a delivery unit

or for alternative options for setting the content vendor, please refer to the SAP

HANA Application Lifecycle Management Guide located at the following URL: http://

help.sap.com/hana_platform#section5.

To access the guide directly in PDF format, visit http://help.sap.com/hana/SAP_

HANA_Application_Lifecycle_Management_en.pdf.

Now that we’ve defined a delivery unity, we can use SAP HANA Studio to export our

security model to a file. We can use this file as an import source, or we can share the

file with others. To export the delivery unit, open SAP HANA Studio, then select File �

Export from the menu bar.

A window titled Export will appear. Within the search box titled Select and Export

Destination, enter “delivery unit”. This will filter the available selections down to the

desired option. Under the SAP HANA Content node, choose Delivery Unit. Click Next.

Select the SAP HANA system that will be the source of the delivery unit and click

Next. Within the Select Delivery Unit window, use the dropdown menu titled

Delivery Unit to choose the HANA_SECURITY_MODEL delivery unit. In the Export

Location area, choose Export to Client and enter the folder location path and desired

file name. Typically, the default file name is an acceptable name. Figure 3.12 shows

the Select Delivery Unit window. Click Next to export the delivery unit to the speci-

fied file path.

The delivery unit file should now exist under the specified file path. Delivery unit files

use a file extension of TGZ, commonly used on UNIX and Linux systems for files con-

taining a compressed archive. Therefore, the delivery unit file in fact is a compressed

archived containing all the SAP HANA development artifacts associated with the

exported delivery unit. This file can be used as a source and imported into another

SAP HANA system or even the same SAP HANA system. In most instances, these files

provide an excellent backup mechanism for the content we create in the SAP HANA

repository.

3 Catalog Objects

106

Figure 3.12 Delivery Unit Export Options Window

To import a delivery unit file, open SAP HANA Studio and log on to the desired SAP

HANA system. From the menu bar, select File � Import. A window titled Import will

appear. In the Select an Import Source search bar, type “delivery unit”. Select Delivery

Unit below the SAP HANA Content node, and click Next. A window will appear, con-

taining the text Target System below the title Import Through Delivery Unit. In this

window, select the system into which you want to import the delivery unit, and click

Next. As shown in Figure 3.13, a Select File window will appear.

107


3

Figure 3.13 SAP HANA Delivery Unit Import Wizard Options

To import a file saved to your local file system, select the radio button labeled Client

in the Select file area. Choose Browse to locate the file on your file system. In the

Actions area, we typically recommend that both of the options Overwrite inactive

versions and Activate objects are checked. This will both overwrite inactive versions

in the target and active the newly imported content. The default Activation Mode of

Activate and ignore inconsistencies in imported object and in their affected objects

should be selected. The Object import simulation area will provide the expected

import Status for the listed Object name and Package name. Click Finish to complete

the import process. The status of the import process will be listed in the Job Log win-

dow. For more information about the Job Log window, see Chapter 1.

3 Catalog Objects

108

3.5 Case Study

E-Corporation is the world’s largest robotics manufacturer and a large multina-

tional conglomerate. The company has a large SAP ERP implementation and has

recently purchased SAP HANA to facilitate a high-performance sales analytics data

mart that combines data from multiple core SAP Business Suite systems and data

from a few subsidiaries that are using non-SAP applications to manage their sales

operations.

The new E-Corporation analytics project is still in its early phases. Developers are just

starting to analyze and profile data from the various source systems. However, the

director of analytics for E-Corporation is aware that extremely sensitive data will be

hosted in the SAP HANA system. Because the data is sensitive in nature, implement-

ing a sound security model is of the utmost importance. To help the E-Corporation

team implement a sound security model, the company has contracted an SAP HANA

security expert from a trusted consulting partner.

During initial project meetings, the security consultant recommends that E-Corpora-

tion start planning for the security model during the development phase. The secu-

rity consultant knows that the development team needed to create several catalog

tables and a few schemas to house the data from the various sources, and he highly

recommends that the company begin the development process by creating two

repository-based schemas to host the staging and data mart tables. The consultant

also recommends that E-Corporation create repository-based tables to help simplify

the development and management of a security model.

Before activating any repository-based objects, the security consultant recommends

defining a package hierarchy to store the core repository objects that will be used to

define the security model. (Chapter 1 provides the necessary information for creating

packages and a package hierarchy.) Knowing that package privileges are critical to the

security of the security model itself, the consultant recommends defining a top-level

package named Security, followed by a subpackage named Schemas and another

named Roles. Figure 3.14 shows the complete package hierarchy as viewed in the

Systems tab of SAP HANA Studio.

109

3.5 Case Study

3

Figure 3.14 E-Corporation’s Initial Package Hierarchy

E-Corporation decides to create two repository schemas (using the steps outlined in

Section 3.3.1). The first schema will be named StagingMart and the second schema

named SalesMart. The repository schemas will be activated within the SAP HANA

package named Security.Schemas. The syntax for creating each repository schema is

listed in Table 3.1.

Figure 3.15 shows what will be present in the package hierarchy. Under the subpack-

age Schemas will be two objects, both with the .hdbschema file extension. Each object

or file is preceded by the name of the file and then the name of the schema.

Now that the schemas are in place, the developers can create tables to store the data.

The security consultant recommends that the developers use repository-based

tables, for two reasons. First, the developers won’t need the CREATE ANY object privilege

for the two schemas, which simplifies the security model. Second, repository tables

can be promoted easily with the security model to other SAP HANA environments in

order to support sound lifecycle management.

Schema Name Repository Schema Syntax

StagingMart schema_name = "StagingMart";

SalesMart schema_name = "SalesMart";

Table 3.1 Repository Schema Names and Syntax

3 Catalog Objects

110

Figure 3.15 Development Repository Schema Artifacts and Corresponding Script Syntax

Because the tables created by the developers are expected to be secured in such a way

that developers can frequently make changes, the security consultant recommends

that E-Corporation create a new package hierarchy to store development artifacts

that will be used by the development team for the sales analytics project. It’s best to

set up a separate package hierarchy in these instances, because it can be secured inde-

pendently from the top-level security package. The consultant recommends that a

top-level package named e-corp be created, and within it, the subpackage named

sales. Within the sales package, he recommends that a package named tables be cre-

ated. Figure 3.16 shows how the package hierarchy will appear within the System tab

in SAP HANA Studio.

Figure 3.16 E-Corporation’s Package Hierarchy

111

3.5 Case Study

3

E-Corporation creates the STG_CUSTOMERS table (Listing 3.2) and the STG_PRODUCTS table

(Listing 3.3) in the StagingMart schema (following the steps in Section 3.3.2). The

repository tables are created within the e-corp.sales.tables package. The repository

object type will be a database table or an HDBTABLE file.

// To define an HDB table with main SQL type columns, use the following code.// In the following example, a schema should exist.table.schemaName = "StagingMart";table.tableType = COLUMNSTORE;table.columns =[

{name = "CustomerID"; sqlType = BIGINT; comment = "Customer ID"; },{name = "CustomerName"; sqlType = NVARCHAR; length = 255; comment =

"Customer Name";},{name = "CustomerAddressLine1"; sqlType = NVARCHAR; length =

255; comment = "Customer Street Number and Name";},{name = "CustomerCity"; sqlType = NVARCHAR; length = 255; comment =

"Customer City";},{name = "CustomerLatt"; sqlType = DECIMAL; precision = 26; scale =

6; comment = "Customer Location Latitude";},{name = "CustomerLong"; sqlType = DECIMAL; precision = 26; scale =

6; comment = "Customer Location Longitude";}];table.primaryKey.pkcolumns = ["CustomerID"];

Listing 3.2 STG_CUSTOMERS Syntax

table.schemaName = "StagingMart";table.tableType = COLUMNSTORE;table.columns =[

{name = "CustomerID"; sqlType = BIGINT; comment = "Customer ID"; },{name = "CustomerName"; sqlType = NVARCHAR; length = 255;

comment = "Customer Name";},{name = "CustomerAddressLine1"; sqlType = NVARCHAR;

length = 255; comment = "Customer Street Number and Name";},{name = "CustomerCity"; sqlType = NVARCHAR; length = 255;

comment = "Customer City";},{name = "CustomerLatt"; sqlType = DECIMAL; precision = 26;

scale = 6; comment = "Customer Location Latitude";},

3 Catalog Objects

112

{name = "CustomerLong"; sqlType = DECIMAL; precision = 26;scale = 6; comment = "Customer Location Longitude";}];table.primaryKey.pkcolumns = ["CustomerID"];

Listing 3.3 STG_PRODUCTS Syntax

Once the two repository table scripts are activated, two new tables will be visible

within the StagingMart schema. The names of the tables are shown in Figure 3.17, in

the Systems tab, under Catalog � StagingMart � Tables. Notice how the name of the

runtime version of each table includes the repository package hierarchy name and

two colons.

Figure 3.17 Repository Tables Created in StagingMart Schema

SAP HANA requires unique object names for all runtime versions of objects created

within the repository. To achieve this requirement, the package hierarchy name is

automatically included as a prefix for every catalog object created within the reposi-

tory.

E-Corporation now has two design-time and runtime versions of each schema and

table. The foundation for a sound security model has been implemented. Developers

that have been granted privileges for these objects can now begin loading data into

these SAP HANA tables. Security administrators can relax, knowing that their secu-

rity model can be transported and backed up.

113

3.6 Summary

3

3.6 Summary

In this chapter, you learned about catalog objects. How you choose to create catalog

objects is one of the most important factors that effects the type of security model

and security process that will be implemented. If you create standard catalog objects,

then developers and security administrators constantly will need to follow tedious

processes for the model to be maintained. However, if you choose to create reposi-

tory-based catalog objects, then developers mostly can be decoupled from the secu-

rity model maintenance process. In addition, the security model and its dependent

catalog objects can be transported easily to another system or into a backup file.

In the next chapter, we’ll dive deeper into the security model by exploring the pro-

cesses necessary for provisioning users. We’ll also discuss the processes necessary to

assign privileges and roles to a user account.

7

Contents

Preface ..................................................................................................................................................... 19

Introduction .......................................................................................................................................... 27

1 Managing Security with SAP HANA Studio 39

1.1 SAP HANA Studio Overview ............................................................................................ 40

1.1.1 Getting Started with SAP HANA Studio ........................................................ 41

1.1.2 Navigating SAP HANA Studio ........................................................................... 47

1.2 The Administration Console ........................................................................................... 57

1.3 Managing Perspectives in SAP HANA Studio .......................................................... 58

1.3.1 Administration Console Perspective .............................................................. 59

1.3.2 Development Perspective .................................................................................. 60

1.3.3 Modeler Perspective ............................................................................................ 66

1.4 SQL Console ............................................................................................................................ 69

1.5 Security Settings in SAP HANA Studio ....................................................................... 70

1.5.1 User Management ............................................................................................... 70

1.5.2 Role Management ................................................................................................ 71

1.5.3 Security Console .................................................................................................... 71

1.5.4 Development Perspective .................................................................................. 71

1.5.5 SQL Console ............................................................................................................ 71

1.5.6 Configuration Tab ................................................................................................ 72

1.6 Summary ................................................................................................................................. 72

2 Introduction to SAP HANA Privileges 73

2.1 Privileges within SAP HANA ........................................................................................... 74

2.1.1 System Privileges .................................................................................................. 74

2.1.2 Object Privileges ................................................................................................... 75

2.1.3 Analytic Privileges ................................................................................................ 77

2.1.4 Package Privileges ................................................................................................ 78

2.1.5 Application Privileges .......................................................................................... 79

Contents

8

2.2 Privilege Validation and Assignment ......................................................................... 79

2.2.1 Assigning Privileges ............................................................................................. 80

2.2.2 Validating Privileges ........................................................................................... 81

2.3 Summary ................................................................................................................................. 83

3 Catalog Objects 85

3.1 What Are SAP HANA Catalog Objects? ...................................................................... 85

3.2 Creating and Managing Native Catalog Objects .................................................. 87

3.2.1 Creating Schemas ................................................................................................ 88

3.2.2 Creating Catalog Tables ..................................................................................... 91

3.2.3 Creating Other Catalog Objects ...................................................................... 93

3.3 Creating and Managing Repository Catalog Objects .......................................... 94

3.3.1 Creating Repository Schemas .......................................................................... 95

3.3.2 Creating Repository Tables ............................................................................... 98

3.4 Deploying Repository Objects ....................................................................................... 100

3.5 Case Study .............................................................................................................................. 108

3.6 Summary ................................................................................................................................. 113

4 User Accounts 115

4.1 What Are User Accounts? ................................................................................................ 115

4.1.1 Standard User Accounts .................................................................................... 116

4.1.2 Technical User Accounts .................................................................................... 117

4.1.3 Restricted User Accounts ................................................................................... 118

4.2 Creating and Managing User Accounts ..................................................................... 119

4.2.1 Creating and Managing Users with SQL Statements .............................. 120

4.2.2 Creating and Managing Users in SAP HANA Studio ................................. 121

4.2.3 Creating and Managing Users with SAP HANA Web-Based

Development Workbench ................................................................................. 124

4.2.4 User Account System Views ............................................................................. 126

4.2.5 Deleting User Accounts ..................................................................................... 129

9

Contents

4.3 Granting and Revoking Privileges ................................................................................ 133

4.3.1 Granting and Revoking Privileges with SQL ................................................ 133

4.3.2 Granting and Revoking Privileges with SAP HANA Studio ..................... 141

4.3.3 Granting and Revoking Privileges with SAP HANA Web-Based

Development Workbench .................................................................................. 146

4.3.4 Effective Privileges System View ..................................................................... 148

4.4 Managing User Role Assignments ............................................................................... 149

4.4.1 Granting and Revoking Roles with SQL ......................................................... 150

4.4.2 Granting and Revoking Roles with SAP HANA Studio .............................. 152

4.4.3 Granting and Revoking Roles with SAP HANA Web-Based


4.4.4 Effective Roles System View ............................................................................. 154

4.5 Case Study: Provisioning Users with SQL Scripts and Stored

Procedures .............................................................................................................................. 155

4.5.1 Creating a Repository Schema ......................................................................... 156

4.5.2 Creating a Repository Table .............................................................................. 157

4.5.3 Importing a CSV File into a Table .................................................................... 158

4.5.4 Creating Repository Stored Procedures ........................................................ 161

4.5.5 Executing the Repository Stored Procedure ................................................ 165

4.6 Summary ................................................................................................................................. 166

5 Database Roles 167

5.1 What Are Roles? ................................................................................................................... 167

5.2 Creating and Managing Roles ........................................................................................ 171

5.2.1 Creating and Deleting Roles with SQL Statements ................................... 171

5.2.2 Creating and Deleting Roles with SAP HANA Studio ................................ 172

5.2.3 Creating and Deleting Roles with SAP HANA Web-Based


5.3 Granting and Revoking Privileges ................................................................................ 176

5.3.1 Methodologies for Granting Privileges to Roles ........................................ 176

5.3.2 Granting and Revoking Privileges with SQL ................................................ 178

5.3.3 Granting and Revoking Privileges with SAP HANA Studio ..................... 187

Contents

10

5.3.4 Granting and Revoking Privileges with SAP HANA Web-Based


5.4 Managing Nested Roles .................................................................................................. 194

5.4.1 Granting and Revoking Roles with SQL ........................................................ 194

5.4.2 Granting and Revoking Roles with SAP HANA Studio ............................. 195

5.4.3 Granting and Revoking Roles with SAP HANA Web-Based


5.5 Summary ................................................................................................................................. 197

6 Repository Roles 199

6.1 What Are Repository Roles? ........................................................................................... 199

6.1.1 User Account _SYS_REPO and Repository Roles ........................................ 200

6.1.2 Grantor and Privileges ........................................................................................ 202

6.1.3 Grantor and Roles ................................................................................................ 203

6.1.4 Why Use Repository Roles? ............................................................................... 203

6.2 Managing Repository Roles with Design-Time Scripts ...................................... 205

6.2.1 Creating Repository Roles within a Package ............................................... 206

6.2.2 Defining the Role Name Tag ............................................................................ 207

6.2.3 Extending Roles .................................................................................................... 208

6.2.4 Assigning Privileges ............................................................................................ 208

6.2.5 Save and Activate ................................................................................................. 209

6.2.6 Runtime Repository Roles ................................................................................. 210

6.3 Granting and Revoking Privileges in Design-Time Scripts ............................... 211

6.3.1 System Privileges ................................................................................................. 211

6.3.2 Schema Privileges ................................................................................................ 212


6.3.4 Structured Privileges ........................................................................................... 215

6.3.5 Remote Sources .................................................................................................... 216


6.3.7 Application Privileges ......................................................................................... 217

6.3.8 Package Privileges ............................................................................................... 218

6.4 Managing Repository Roles with SAP HANA Web-Based

Development Workbench ............................................................................................... 218

11

Contents

6.4.1 Accessing and Navigating the SAP HANA Web-Based

Development Workbench Editor ..................................................................... 219




6.4.5 Package Privileges ................................................................................................ 227

6.4.6 Application Privileges .......................................................................................... 229

6.5 Granting Repository Roles to Users ............................................................................. 231

6.5.1 Granting and Revoking Repository Roles with Stored Procedures ...... 231

6.5.2 Granting and Revoking Repository Roles with SAP HANA Studio ........ 232

6.5.3 Granting and Revoking Repository Roles with SAP HANA

Web-Based Development Workbench .......................................................... 234

6.6 Case Study: Creating Basic Repository Roles .......................................................... 234

6.6.1 Consumer Repository Role ................................................................................ 235

6.6.2 Power User Repository Role .............................................................................. 236

6.6.3 Developer Repository Role ................................................................................. 236

6.6.4 Security Administrator Repository Role ........................................................ 238

6.7 Summary ................................................................................................................................. 239

7 System Privileges 241

7.1 What Are System Privileges? .......................................................................................... 241

7.2 Default System Privileges ................................................................................................ 242

7.2.1 Developer-Related System Privileges ............................................................ 242

7.2.2 Security Admin-Related System Privileges .................................................. 243

7.2.3 System Admin-Related System Privileges .................................................... 246

7.2.4 Environment Monitoring-Related System Privileges ............................... 252

7.2.5 Environment Performance-Related System Privileges ............................ 252

7.3 Granting System Privileges ............................................................................................. 253

7.3.1 Granting System Privileges with SQL ............................................................. 253

7.3.2 Granting System Privileges with SAP HANA Studio .................................. 254

7.3.3 Granting System Privileges with SAP HANA Web-Based


7.3.4 Granting System Privileges with Repository Roles .................................... 257

Contents

12

7.4 Case Study: Security Administrator System Privileges ...................................... 262

7.4.1 User Management Role ..................................................................................... 262

7.4.2 Role Management Role ...................................................................................... 264

7.4.3 Data and Communication Encryption Role ................................................. 265

7.4.4 System Auditing Role .......................................................................................... 266

7.5 Summary ................................................................................................................................. 267

8 Object Privileges 269

8.1 Overview of Object Privileges ....................................................................................... 269

8.1.1 Catalog Object Privileges ................................................................................... 270

8.1.2 Security Considerations for Catalog Objects .............................................. 275

8.2 Granting Object Privileges with SQL .......................................................................... 279

8.2.1 Securing Schemas with SQL ............................................................................. 280

8.2.2 Securing Individual Catalog Objects with SQL ........................................... 282

8.3 Granting Object Privileges with SAP HANA Studio .............................................. 284

8.4 Granting Object Privileges with Repository Roles ............................................... 286

8.4.1 Script-Based Repository Roles .......................................................................... 287

8.4.2 SAP HANA Web-Based Development Workbench .................................... 289

8.5 Case Study: Updating Repository Roles to Access Information Views ....... 292

8.5.1 Consumer ............................................................................................................... 292

8.5.2 Power User ............................................................................................................. 293

8.5.3 Developer ................................................................................................................ 295

8.6 Summary ................................................................................................................................. 296

9 Package Privileges 297

9.1 The SAP HANA Development Repository ................................................................. 297

9.1.1 Structure of the Development Repository ................................................... 297

9.1.2 Creating Packages and Subpackages ............................................................ 298

9.1.3 Overview of Delivery Units ............................................................................... 300

9.2 Overview of Package Privileges .................................................................................... 301

13

Contents

9.3 Granting Package Privileges .......................................................................................... 303

9.3.1 Granting Package Privileges with SQL ........................................................... 303

9.3.2 Granting Package Privileges with SAP HANA Studio ................................ 304

9.3.3 Granting Package Privileges with SAP HANA Web-Based


9.3.4 Granting Package Privileges within Repository-Based Roles ................. 307

9.4 Case Study: Preventing Content Developers from Elevating

Their Privileges ..................................................................................................................... 311

9.4.1 Assessing the Current Configuration ............................................................ 311

9.4.2 Recommendations ............................................................................................... 312

9.5 Summary ................................................................................................................................. 315

10 Analytic Privileges 317

10.1 Overview of SAP HANA Information Views ............................................................. 317

10.1.1 Attribute Views ..................................................................................................... 318

10.1.2 Analytic Views ....................................................................................................... 318

10.1.3 Calculation Views ................................................................................................. 319

10.2 Overview of Analytic Privileges .................................................................................... 320

10.2.1 XML-Based Analytic Privileges ......................................................................... 320

10.2.2 SQL-Based Analytic Privileges ........................................................................... 323

10.3 _SYS_BI_CP_ALL: A System-Generated Analytic Privilege ............................... 325

10.4 Managing Static Analytic Privileges ........................................................................... 326

10.4.1 Creating Static XML-Based Analytic Privileges ........................................... 326

10.4.2 Creating Static SQL-Based Analytic Privileges ............................................ 331

10.5 Managing Dynamic Analytic Privileges ..................................................................... 334

10.5.1 Dynamic XML-Based Analytic Privileges ....................................................... 334

10.5.2 Dynamic SQL-Based Analytic Privileges ........................................................ 336

10.6 Managing Dynamic Expression-Based SQL Analytic Privileges ...................... 344

10.6.1 Creating a Repository-Based Security Table ................................................ 346

10.6.2 Defining Dynamic Expression-Based SQL Analytic Privileges ............... 348

10.7 Troubleshooting Effective Analytic Privileges and Filter Conditions ........... 351

Contents

14

10.8 Granting Analytic Privileges ........................................................................................... 352

10.8.1 Granting Analytic Privileges with SQL .......................................................... 352

10.8.2 Granting Analytic Privileges with SAP HANA Studio ............................... 353

10.8.3 Granting Analytic Privileges with SAP HANA Web-Based


10.8.4 Granting Analytic Privileges within Repository Roles .............................. 355

10.9 Summary ................................................................................................................................. 359

11 Application Privileges 361

11.1 Application Privileges in SAP HANA ........................................................................... 361

11.2 Creating Application Privileges .................................................................................... 362

11.3 Granting Application Privileges .................................................................................... 364

11.3.1 Granting Application Privileges with SQL .................................................... 364

11.3.2 Granting Application Privileges with SAP HANA Studio ......................... 365

11.3.3 Granting Application Privileges with SAP HANA Web-Based


11.3.4 Granting Application Privileges within Repository Roles ....................... 367

11.4 Privileges on Users .............................................................................................................. 372

11.4.1 Granting Privileges on Users with SAP HANA Studio .............................. 372

11.4.2 Granting Privileges on Users with SQL ......................................................... 373

11.5 Summary ................................................................................................................................. 373

12 Authentication 375

12.1 SAP HANA Internal Authentication Mechanism ................................................... 376

12.1.1 Protecting SAP HANA Passwords with Encryption ................................... 376

12.1.2 Configuring the Internal Authentication Password Policy .................... 377

12.1.3 Managing Password Policy Settings with SQL ........................................... 383

12.1.4 Managing Password Policy Settings in GUIs .............................................. 384

12.2 Supported Third-Party Authentication Providers ................................................. 389

12.2.1 Kerberos Authentication ................................................................................... 390

12.2.2 SAML Authentication .......................................................................................... 393

15

Contents

12.2.3 X509 Authentication ........................................................................................... 396

12.2.4 SAP Logon Ticket ................................................................................................... 397

12.2.5 SAP Assertion Ticket ............................................................................................ 399

12.3 Case Study: Adding SAML Identity User Accounts ................................................ 400

12.4 Summary ................................................................................................................................. 402

13 Certificate Management and Encryption 403

13.1 SSL Certificates ...................................................................................................................... 403

13.1.1 In-Database Certificate Management .......................................................... 404

13.1.2 External SAP HANA PSE File and Certificate Management .................... 408

13.2 Client Encryption Settings ............................................................................................... 412

13.2.1 SAP HANA Studio .................................................................................................. 412

13.2.2 XS Engine Web-Based Applications ................................................................ 414

13.2.3 JDBC and ODBC Drivers ...................................................................................... 416

13.3 Encrypting Data .................................................................................................................... 419

13.3.1 Server-Side Data Encryption ............................................................................. 420

13.3.2 Changing New Root Keys within the SSFS ................................................... 421

13.3.3 Encrypting the Data Volume ............................................................................ 424

13.3.4 Encrypting the Log Volume ............................................................................... 425

13.4 Summary ................................................................................................................................. 426

14 Security Lifecycle Management 427

14.1 Maintaining a Consistent Security Model ................................................................ 427

14.1.1 Best Practices ......................................................................................................... 428

14.1.2 Testing Security Model Changes ..................................................................... 430

14.1.3 Keeping Repository Roles in Sync .................................................................... 432

14.2 Create Delivery Units for Security-Related Packages .......................................... 434

14.2.1 Creating a Delivery Unit with SAP HANA Studio ....................................... 435

14.2.2 Creating a DU with SAP HANA Application Lifecycle

Management ......................................................................................................... 438

Contents

16

14.3 Transport Security Packages to Other SAP HANA Systems .............................. 442

14.3.1 Transport a DU with SAP HANA Application Lifecycle

Management ......................................................................................................... 443

14.3.2 Export a DU to a File ............................................................................................ 448

14.3.3 Import a DU from a File ..................................................................................... 449

14.4 Additional Options in SAP HANA Application Lifecycle Management ....... 452

14.4.1 Change Recording ................................................................................................ 452

14.4.2 Using SAP CTS ....................................................................................................... 453

14.5 Summary ................................................................................................................................. 453

15 Auditing 455

15.1 Why Do We Need Auditing? .......................................................................................... 455

15.2 Configuring Auditing ......................................................................................................... 457

15.2.1 Enable Auditing with SAP HANA Studio ....................................................... 457

15.2.2 Enable Auditing with SAP HANA Web-Based Development

Workbench ............................................................................................................. 461

15.2.3 Enable Auditing with SQL .................................................................................. 463

15.3 Creating Audit Policies ...................................................................................................... 465

15.3.1 Components of the Audit Policy ..................................................................... 466

15.3.2 Managing Policies with SAP HANA Web-Based Development

Workbench ............................................................................................................. 471

15.3.3 Managing Audit Policies with SQL ................................................................. 473

15.3.4 Creating Policies with SAP HANA Studio ..................................................... 476

15.4 Querying Audit Data .......................................................................................................... 477

15.4.1 AUDIT_ACTIONS ................................................................................................... 478

15.4.2 AUDIT_LOG ............................................................................................................ 478

15.4.3 AUDIT_POLICIES ................................................................................................... 478

15.5 Case Study: Defining Audit Policies ............................................................................ 479

15.5.1 Proactive Event Monitoring .............................................................................. 479

15.5.2 Audit Reporting .................................................................................................... 480

15.5.3 Authentication Auditing .................................................................................... 480

15.5.4 Unauthorized Action Auditing ........................................................................ 481

15.5.5 System Change Auditing ................................................................................... 482

15.5.6 Security Management Task Auditing ............................................................ 483

17

Contents

15.5.7 Super User Event Auditing ................................................................................ 485

15.6 Summary ................................................................................................................................. 486

16 Security Tracing and Troubleshooting 487

16.1 Authorization Tracing ........................................................................................................ 487

16.1.1 Enable Tracing with SAP HANA Studio .......................................................... 488

16.1.2 Enable Tracing with SQL ..................................................................................... 491

16.1.3 Viewing the Trace File in SAP HANA Studio ................................................. 493

16.2 Query the System to Review Effective Privileges ................................................. 495

16.2.1 Granted Privileges ................................................................................................ 495

16.2.2 Granted Roles ........................................................................................................ 496

16.2.3 Accessible Views ................................................................................................... 497

16.2.4 Effective Privilege Grantees ............................................................................. 498

16.2.5 Effective Structured Privileges ......................................................................... 499

16.2.6 Effective Privileges ............................................................................................... 501

16.2.7 Effective Role Grantees ...................................................................................... 502

16.2.8 Effective Roles ........................................................................................................ 503

16.3 Case Study: Identifying Deficiencies in Information View Access ................ 504

16.3.1 Troubleshooting the Problem .......................................................................... 504

16.3.2 Reviewing the Results ......................................................................................... 505

16.3.3 Reviewing the Solution ....................................................................................... 506

16.4 Summary ................................................................................................................................. 506

17 Security Recommendations 507

17.1 Password Authentication Settings .............................................................................. 507

17.1.1 Standard User Password Policies .................................................................... 507

17.1.2 Service Accounts ................................................................................................... 510

17.2 Encryption Settings ............................................................................................................. 511

17.3 Identifying Users with Elevated Privileges .............................................................. 511


17.3.2 Root Package Privileges ...................................................................................... 514

Contents

18

17.3.3 Bypass Analytic Privileges ................................................................................. 515

17.3.4 Default Standard Roles ...................................................................................... 518

17.3.5 WITH GRANT or WITH ADMIN ......................................................................... 519

17.4 Disabling the SYSTEM Account ..................................................................................... 520

17.5 Identify Privilege Escalation Vulnerabilities ........................................................... 521

17.6 Handover from Hardware Vendors ............................................................................. 522

17.7 Create Audit Policies .......................................................................................................... 523

17.8 Summary ................................................................................................................................. 523

18 SAP HANA 2.0 Security 525

18.1 Authorizations ...................................................................................................................... 525

18.1.1 Granting or Revoking the PUBLIC Role .......................................................... 525

18.1.2 Granting or Revoking Access to a User’s Own Schema ........................... 526

18.1.3 Map LDAP Groups to SAP HANA Roles .......................................................... 527

18.2 Encryption .............................................................................................................................. 527

18.2.1 Log Volume Encryption ...................................................................................... 527

18.2.2 Root Key Backup and Password ...................................................................... 527

18.2.3 Using SQL to Update All Encryption Keys .................................................... 528

18.3 XS Engine Applications and Roles ................................................................................ 528

18.4 SAP HANA 2.0 Cockpit ....................................................................................................... 529

18.5 Summary ................................................................................................................................. 529

The Author ............................................................................................................................................ 531

Index ........................................................................................................................................................ 533

533

Index

A

ABAP Workbench .................................................. 453

Accessible views .................................................... 497

ACID compliance ..................................................... 30

Active Directory .......................................... 376, 391

Administration console ........................................ 57

Administration console perspective ............... 59

Administration editor ........................................ 488

Analytic privileges .... 68, 77, 148, 190, 193, 215,

217, 226, 244, 317, 344, 469

bypassing ............................................................ 515

default .................................................................. 325

filters ..................................................................... 321

granting ............................................................... 352

management window .................................... 328

overview ............................................................... 320

repository roles ................................................. 355

SAP HANA Studio ............................................. 353

SAP HANA Web-Based Development

Workbench ..................................................... 354

search .................................................................... 359

SQL ......................................................................... 352

SYS_BI_CP_ALL ................................................. 516

troubleshooting ................................................ 351

Analytic views ................................................. 77, 318

Application function library (AFL) .................... 34

Application privilege objects ........................... 363

Application privileges .... 79, 140, 185, 217, 229,

361, 366, 371

creation ................................................................ 362

creation guide ................................................... 364

granting ............................................................... 364

SAP HANA Studio ............................................. 365


Workbench ..................................................... 366

SQL ......................................................................... 364

within repository roles ................................... 367

Application-access file ........................................ 363

Application-privileges file ................................. 362

Atomicity, consistency, isolation, and

durability (ACID) ................................................. 30

Attribute data ......................................................... 317

Attribute views ............................................... 77, 318

Audit action status ............................................... 469

Audit actions view ................................................ 478

Audit data ................................................................ 477

Audit level trail targets ....................................... 459

Audit levels .................................................... 459, 470

Audit log data ......................................................... 456

Audit log database table .................................... 460

Audit log targets ................................................... 464

Audit log view ........................................................ 478

Audit operator ....................................................... 244

Audit operator system privilege .................... 513

Audit policies ............................. 465, 472, 479, 523

audit trail target .............................................. 471

components ....................................................... 466

creation ....................................................... 474, 476

management ............................................ 471, 473

SAP HANA Studio ............................................. 476

SQL ......................................................................... 475

target objects ............................................ 470, 473

target user .......................................................... 470

Audit policies view ............................................... 478

Audit reporting ..................................................... 480

Audit rule ................................................................. 459

Audit trail ................................................................. 464

Auditing ......................................... 51, 434, 455, 488

all actions ............................................................ 466

backup deletion ................................................ 466

benefits ................................................................. 455

case study ........................................................... 479

certificate and PSE store ............................... 466

configuration .................................................... 457

data definition .................................................. 466

data provisioning ............................................ 467

data query and manipulation .................... 467

data volume encryption ............................... 467

granting and revoking authorizations ... 467

LDAP provider manager ............................... 468

license deletion ................................................. 468

license installation .......................................... 468

monitoring ......................................................... 456

regulatory compliance .................................. 456

repository content operations .................... 468

Index

534

Auditing (Cont.)

SAP HANA dynamic tiering ......................... 468

SAP HANA Studio ............................................. 457


Workbench .................................................... 461

session management and system

configuration ............................................... 468

SQL ......................................................................... 463

structured privileges management .......... 469

user and role management ......................... 469

Authentication ................................... 115, 375, 404

auditing ............................................................... 480

case study ........................................................... 400

Authorization component ............................... 487

Authorization trace .................................... 487, 490

configuration .................................................... 490

Authorization validation ..................................... 82

Authorizations ............................................. 115, 375

catalog object-level ......................................... 277

grantable to others ......................................... 276

schema-level ...................................................... 277

B

Backup admin system privilege ..................... 247

Basis administrator ................................................ 90

Business Function Library (BFL) ........................ 28

C

Calculation views ........................................... 77, 319

CASCADE option ................................................... 130

Case studies ............ 108, 155, 234, 262, 292, 311,

400, 479, 504

Catalog object access ........................................... 177

Catalog object privileges ........ 76, 136, 181, 270,

291–292

Catalog objects ..... 75, 85, 99, 269, 277, 285, 287,

499

case study ........................................................... 108

creatopm ................................................................ 93

securing ............................................................... 282

security ................................................................ 275

Catalog read system privilege ......................... 252

Catalog schema privileges ....................... 134, 180

Catalog schemas ........................... 89–90, 270, 288

Catalog sequence .................................................. 275

Catalog stored procedures ....................... 273, 278

Catalog tables ................................................ 271, 283

creation .................................................................. 91

Catalog views ......................................... 93, 272, 278

Central processing unit ........................................ 29

Certificate admin ................................................... 244

Certificate collection .................................. 404, 406

Certificate keys ....................................................... 409

Certificate management .......................... 403, 407

external ................................................................ 408

Certificate store ...................................................... 405

Certificates ............................................................... 404

configuration ..................................................... 412

Change recording .................................................. 452

Change tracking ..................................................... 452

Child objects .............................................................. 76

referenced .............................................................. 81

Client certificate .................................................... 397

Compile server ......................................................... 34

Consumer role ........................................................ 292

Content vendor ............................................ 100–101

CONTENT_ADMIN role ....................................... 518

CPU ................................................................................ 29

Create scenario system privilege .................... 247

Create schema .......................................................... 74

CREATE statement ................................................ 200

Create users ............................................................. 164

CSV file ................................................... 158, 459, 464

D

Data admin system privilege ................. 248, 512

Data and communication encryption

role ......................................................................... 265

Data Definition Language (DDL) ..................... 512

Data encryption ..................................................... 423

Data source name (DSN) .................................... 417

Data volume encryption ................... 51, 424, 467

SAP HANA Studio ............................................. 424

SQL ......................................................................... 424

Database accounts ................................................ 522

Database forensics ................................................ 457

Database objects ...................................... 75, 85, 204

Database roles ........................................................ 167

consistency .......................................................... 170

standard ............................................................... 168

Database store ........................................................ 405

Database views ......................................................... 77

DBA_COCKPIT role ............................................... 169

535

Index

Default roles ............................................................ 518

Definer mode .................................................. 82, 278

Delivery units ......... 100, 102, 204, 242, 297, 429

assign packages ...................................... 103, 441

creation ................................................................ 434

export options ................................................... 448

export to file ....................................................... 448

import ................................................................... 106

import from file ................................................ 449

management window .......................... 103, 436

overview ............................................................... 300

packages .............................................................. 436

SAP HANA application lifecycle

management ................................................ 438

SAP HANA Studio ............................................. 435

Design-time objects .............. 88, 94, 99, 214, 223

Design-time repository objects ...................... 215

Design-time schemas .......................................... 213

Design-time scripts ........ 170, 205, 307, 356, 368

Design-time stored procedure ........................ 343

Developer repository role ................................. 295

Development (DEV) ............................................. 428

Development artifacts ....................... 82, 204, 302

Development objects ............................................. 65

Development perspective ............................. 60, 71

Development repository ................................... 297

structure .............................................................. 297

Dimensional calculation views ....................... 319

DU

transport ............................................................. 443

Dynamic analytic privileges ................... 320, 322

management ..................................................... 334

Dynamic expression-based SQL analytic

privileges ............................................................. 325

definition ............................................................. 348

management ..................................................... 344

mapping table ................................................... 345

Dynamic random-access memory

(DRAM) .................................................................... 29

Dynamic SQL-based analytic privileges ..... 324,

336

Dynamic XML-based analytic privileges ..... 334

E

Effective privileges ............................................... 148

Effective roles ......................................................... 154

Encrypting data ..................................................... 419

Encryption ...................................................... 403, 511

settings ................................................................. 412

Encryption root key admin .............................. 245

Encryption root keys ........................................... 523

Event auditing ....................................................... 485

Event monitoring ................................................. 479

Events .............................................................. 459–460

Export system privilege ..................................... 249

Expression editor interface .............................. 350

External authentication .................................... 376

F

Federated identity system ................................ 393

Filter conditions ................................. 329, 340, 498

troubleshooting ................................................ 351

Filter criteria ........................................................... 322

Filter expressions ........................................ 325, 350

Filters ......................................................................... 321

Functions .................................................................... 87

G

Geospatial engines .................................................. 28

Grant procedure .................................................... 232

GRANT statement ................................................. 199

Granted privileges ................................................ 495

Granted roles ................................................. 187, 496

Grantee management ........................................ 304

Grantor ..................................................... 73, 171, 202

Graphical analytic privilege objects .............. 324

H

HTTP communication encryption ................ 409

HTTP/HTTPS ........................................................... 377

I

Identity provider (IdP) ........................................ 393

Import job ................................................................ 451

Import or export privilege ................................... 74

Import system privilege .................................... 249

Imported package privileges .................... 79, 301

Inactive user accounts ........................................ 382

Index

536

Including repository roles ................................ 312

In-database certificate management ........... 404

Index ............................................................................. 87

Index server ............................................................... 33

Information models ............................................ 329

Information views ........... 66, 317, 327, 332, 343,

350, 504, 516–517

analytic privilege checks ............................... 517

overview .............................................................. 317

Inheritance .............................................................. 302

INI settings .............................................................. 377

INIFILE admin system privilege ..................... 514

In-memory database .............................................. 28

Input parameter .................................................... 151

Instance SSFS .......................................................... 420

Internal database table ....................................... 458

Invoker mode .................................................. 82, 278

J

Java Database Connectivity (JDBC) ............ 35, 46

JDBC ........................................................ 169, 377, 416

driver ..................................................................... 418

K

Kerberos ................................................ 375, 390, 392

Kerberos authentication ...................................... 44

Kerberos identity .................................................. 510

Key distribution center (KDC) ......................... 390

Knowledge Base Articles (KBA) ....................... 391

L

LDAP .......................................................................... 376

LDAP system .......................................................... 158

Licenses .................................................................... 468

Lifecycle management ....................................... 170

Linux syslog ................................................... 458, 464

Lockout policy ....................................................... 509

Log volume encryption ............................ 423, 425

M

Mapping data ......................................................... 338

Master data ............................................................. 318

Modeler perspective ..................................... 66, 102

Modeling objects ..................................................... 67

MODELING role ............................................ 168, 519

Multidimensional modeling ............................ 319

N

Name server .............................................................. 34

Native catalog objects ........................................... 85

Native package privileges ................. 79, 301–302

Nested roles ................................................... 167, 194

Network hops ......................................................... 412

O

OASIS .......................................................................... 393

Object ownership ........................................... 76, 277

Object privileges ..... 75, 143, 148, 189, 193, 214,

223, 269

case study ............................................................ 292

overview ............................................................... 269


SAP HANA Studio ............................................. 284

SQL ......................................................................... 279

Objects ............................................................. 310, 318

ODBC ...................................................... 169, 377, 416

data source administrator ........................... 417

ODBC/JDBC access ................................................ 118

ODBC/JDBC connectivity ................................... 526

Online transaction processes (OLTP) .............. 28

Open Database Connectivity (ODBC) .............. 35

P

Package hierarchy ............ 99, 109, 156, 291, 298,

312–313, 327, 356, 416

Package privileges ............ 78, 140, 146, 148, 186,

191, 193, 218, 227, 297, 314

case study ............................................................ 311

granting ............................................................... 303

overview ............................................................... 301

SAP HANA Studio ............................................. 304


Workbench ..................................................... 305

SQL ......................................................................... 303

Packages ......................................... 49, 206, 297, 310

creation ................................................................ 298

Parent objects ........................................................... 81

537

Index

Parent schemas ........................................................ 76

Part of roles ............................................................. 188

Password manager ............................................... 510

Password policy ........................................................ 51

configuration ..................................................... 377

manage settings ............................................... 383

SAP HANA Studio configuration ............... 384

SAP HANA Studio security manager ........ 386


Workbench ..................................................... 388

security settings ................................................ 377

Passwords ...................................................... 115, 122

authentication ........................................ 375, 507

blacklist ................................................................ 387

change initial ..................................................... 379

complexity ................................................ 378, 508

encryption ........................................................... 376

expiration ............................................................ 383

failed logon attempts ..................................... 380

initial ..................................................................... 509

length .................................................................... 378

lifetime ....................................................... 381, 508

lock time .............................................................. 381

policies .................................................................. 507

reuse ...................................................................... 508

reuse settings ..................................................... 380

special characters ............................................ 379

update .................................................................. 165

Personal security environment

(PSE) ............................................................. 404, 406

Personal security environment (PSE)

files ......................................................................... 409

in-database ......................................................... 407

manage certificates ........................................ 406

management options ..................................... 411

Perspectives ............................................................... 58

Planning engines ..................................................... 28

Power user role ...................................................... 293

Predictive Analytics Library (PAL) .................... 28

Preprocessor server ................................................ 34

Privilege escalation vulnerabilities ............... 521

Privilege grantees ................................................. 498

Privilege types ........................................................ 209

Privileges .............. 35, 73, 124, 177, 202, 311, 501

assignment .................................................. 80, 208

granting and revoking ......................... 133, 176

Privileges (Cont.)

granting to roles .............................................. 176

modification ...................................................... 284

SAP HANA Studio ............................................. 187


Workbench ..................................................... 192

SQL ......................................................................... 178

validation ............................................................... 81

Privileges on users ...................................... 361, 372

SAP HANA Studio ............................................. 372

SQL ......................................................................... 373

Product availability matrix (PAM) .................... 31

Production (PROD) ............................................... 428

Profitability Analysis (CO-PA) ......................... 318

Provisioning users case study ......................... 155

Public key infrastructure (PKI) ............... 396, 403

PUBLIC role ............................................................. 169

Q

Quality assurance (QA) ....................................... 428

R

Relational database management system

(RDBMS) .............................. 28, 85, 118, 199, 361

Remote source catalog object privileges ..... 216

Remote source privileges .................................. 141

Remote sources .................................. 139, 184, 274

REPO.READ privileges ......................................... 314

Repository analytic privileges ................ 139, 185

Repository catalog objects .................. 85, 94, 136

Repository object privileges .................... 136, 182

Repository objects ............................. 117, 203, 279

deployment ........................................................ 100

Repository role scripts ....................................... 221

Repository roles ... 150–151, 194, 199, 203, 205,

257, 286, 308, 358, 367, 433

benefits ................................................................. 203

case study ........................................................... 234

consumer ............................................................ 235

creation ....................................................... 206, 234

dependencies ..................................................... 438

developer ............................................................. 236

granting ............................................................... 231

granting and revoking ................................... 211

Index

538

Repository roles (Cont.)

management ............................................ 205, 218

power user .......................................................... 236

revoking ............................................................... 232

security administrator ................................... 238

sync ....................................................................... 432

Repository schema privileges ...... 135, 180, 213

Repository schemas ............... 109, 135, 156–157

creation ................................................................... 95

creation syntax .................................................... 97

Repository tables .................................. 94, 112, 157

creation ................................................................... 98

Repository workspace ........................................... 62

navigating packages ......................................... 64

Repository-based model .................................... 201

Repository-based objects .................................. 178

Repository-based roles .................... 233, 307, 361

Repository-based stored procedure .... 162, 339,

400

Repository-based table ....................................... 338

creation ................................................................ 346

Restricted user accounts ................................... 118

Revoke privileges .................................................. 283

REVOKE statement .............................................. 199

ROLE ADMIN privilege ....................................... 203

Role admin system privilege ........................... 513

Role grantees .......................................................... 502

Role management ................................................... 71

Role management role ....................................... 264

Role name tag ........................................................ 207

Roles ............. 52, 80, 149, 167, 199, 221, 370, 503

creation and management .......................... 171

design-time version ........................................ 200

extensions ........................................................... 208

granting ............................................................... 153

SAP AHAN Studio ............................................. 152

SAP HANA Studio ............................................. 172


Workbench ........................................... 154, 174

SQL ......................................................................... 150

SQL statements ................................................. 171

Root key backup (RKB) ....................................... 528

Root keys ......................................................... 421, 423

generation .......................................................... 421

Root package privileges ............................ 307, 514

Row-level security ......................................... 78, 320

rules engines ............................................................. 28

Runtime ................................................................... 199

Runtime objects ........................................... 214, 223

Runtime repository roles ................................... 210

Runtime schemas ................................................. 212

S

SAML ............................................. 375, 393, 395, 402

additional resources ........................................ 394

SAML identity providers ...................................... 51

SAP assertion tickets ............................................ 399

SAP Business Warehouse (SAP BW) ................. 73

SAP BusinessObjects ............................................ 393

SAP BusinessObjects BI ....................................... 393

SAP BusinessObjects Lumira .............................. 33

SAP Change and Transport System

(SAP CTS) .................................................... 452–453

SAP HANA ............................ 27, 199, 335, 393, 404

audit policies ...................................................... 510

bottom-up approach ........................................ 82

code development .............................................. 61

connecting ............................................................. 43

development repository ....................... 201, 297

hardware ................................................................ 31

hardware layers .................................................. 29

in-memory database ......................................... 28

instance ........................................................... 44, 63

instance number ................................................. 43

internal authentication ................................. 376

multinode .............................................................. 30

nodes ....................................................................... 30

overview ................................................................. 27

package repository ................................ 204, 362

privileges ................................................................ 73

RDBMS catalog .................................................... 99

repository .............................................................. 96

security model ..................................................... 27

security overview ................................................ 35

security recommendations ........................... 507

software appliance ............................................ 28

software layers .................................................... 28

transport system .............................................. 442

SAP HANA 1.0 ......................................................... 318

SAP HANA 1.0 SPS 11 ....................... 171, 319, 362

SAP HANA 1.0 SPS 12 .................................... 32, 172

SAP HANA 2.0 ............................ 318, 362, 421, 525

authorizations ................................................... 525

encryption ........................................................... 527

539

Index

SAP HANA 2.0 (Cont.)

LDAP group membership .............................. 527

log volume encryption ................................... 527

PUBLIC role ......................................................... 525

roles ....................................................................... 528

root key backup ................................................ 527

security ................................................................. 525

SAP HANA 2.0 Cockpit .............. 34, 457, 463, 529

SAP HANA 2.0 SPS 00 ....... 32, 215, 319, 376, 425

SAP HANA application lifecycle

management ..... 243, 301, 427–428, 439, 443

additional options ........................................... 452

additional resources ....................................... 442

change recording ............................................. 452

pull method ........................................................ 443

transport management window ............... 444

SAP HANA Cockpit ............................................... 362

SAP HANA dynamic tiering .............................. 468

SAP HANA modeler .............................................. 169

SAP HANA repository ......................................... 301

SAP HANA smart data access (SDA) ..... 216, 274

SAP HANA smart data integration ................. 216

SAP HANA Studio ..... 39, 88, 118, 131, 190, 195,

205, 232, 276, 286, 304, 320, 326, 331, 346, 395,

448–449

backup folder ........................................................ 48

catalog folder ....................................................... 48

certificate trust store ......................................... 47

client encryption .............................................. 412

configuration tab ................................................ 72

content folder ....................................................... 49

enable auditing ................................................. 457

enable tracing ................................................... 488

getting started ...................................................... 41

GUI ............................................................................ 91

initial launch ......................................................... 42

keystore ................................................................ 413

management interface .................................. 365

managing tabs ..................................................... 55

minimum privileges ........................................ 436

navigation ............................................................. 47

overview .................................................................. 40

perspectives ........................................................... 58

privileges ............................................................. 141

provisioning folder ............................................. 50

role deletion ....................................................... 173

role management interface ......................... 353

security folder ....................................................... 51

SAP HANA Studio (Cont.)

security settings .................................................. 70

supported operating system .......................... 40

switching perspectives ...................................... 68

user management area ................................. 141

viewing trace files ............................................ 493


Workbench ..................... 88, 119, 124, 132, 146,

196, 218, 234, 289, 308, 368, 471

enable auditing ................................................ 461

navigation .......................................................... 219

SAP HANA Web-Based Development Work-

bench editor ................. 200, 205, 220, 258, 356

SAP HANA XSA ......................................................... 28

SAP Landscape Transformation ..................... 280

SAP logon tickets ........................................ 397–398

SAP NetWeaver ............................................... 73, 510

SAP NetWeaver Application Server ............... 397

SAP system ID ........................................................... 47

SAP Web Dispatcher ......................... 396, 410, 412

SAP Web IDE .................................................... 34, 362

Savepoints ............................................................... 420

Schema nodes ........................................................... 92

Schema object privileges ...................................... 75

Schema objects ......................................................... 86

Schema prefix ........................................................ 172

Schema privileges ....................................... 212, 282

granting multiple ............................................ 281

revoking multiple ............................................ 282

Schema-level access ............................................. 177

Schemas ............................................ 48, 75, 269, 283

creation ................................................................... 88

SQL ......................................................................... 280

Script server ............................................................... 34

Script-based repository roles .................. 258, 287

Secure Shell (SSH) ................................................. 422

Secure Sockets Layer (SSL) ......................... 46, 403

Secure store in the file system (SSFS) ........... 420

Secured models ..................................................... 320

Security console ............................................. 71, 462

Security lifecycle management ...................... 427

best practices ..................................................... 428

content packages ............................................. 429

multiple environments .................................. 428

role dependencies ............................................ 430

rollback plan ...................................................... 430

test and validate .............................................. 429

Index

540

Security management task auditing ............ 483

Security manager ................................................. 125

Security model ...................................... 36, 167, 427

test plans ............................................................. 432

testing changes ................................................. 430

tracking changes .............................................. 430

validating ............................................................ 431

Security model dependencies ......................... 100

Security packages .......................................... 66, 442

Security tracing ..................................................... 487

Sensitive data ............................................................ 37

Sequences ......................................................... 86, 275

Server-side data encryption ............................. 420

Service accounts ................................................... 510

Service provider (SP) ........................................... 393

Simple and Protected GSSAPI Negotiation

Mechanism (SPNEGO) ................................... 391

Single sign-on (SSO) .......................... 375, 396, 509

Software provisioning manager ........................ 90

SQL .............................................................................. 194

SQL console ............ 69, 71, 91, 133, 178, 231, 280

SQL privileges ........................................................... 75

SQL statements ............................................ 133, 364

SQL-based analytic privileges .................. 77, 320,

323, 332

SQL-based dynamic analytic privileges ...... 343,

349

defining ................................................................ 341

mapping table ................................................... 336

SQLScript ............................................... 335, 340, 372

SSL access ................................................................. 438

SSL certificates .............................................. 403, 417

SSL communications .......................................... 417

SSL encryption .............................................. 413, 416

SSL protocols .......................................................... 403

SSL secured connection ..................................... 418

Standard calculation views ............................... 319

Standard roles ............................................... 150, 194

Standard user accounts ...................................... 116

application accounts ..................................... 116

individual accounts ........................................ 116

service accounts ............................................... 116

Standard users ....................................................... 507

Star join calculation views ................................ 319

Static analytic privileges ........ 320, 322, 326, 332

Static filter condition ........................................... 345

Static SQL-based analytic privileges .............. 324

creation ................................................................ 331

Static XML-based analytic privileges ............. 330

creation ................................................................ 326

Stored procedure ................... 82, 87, 93, 151, 161,

165, 179, 231, 337, 344

configuration ..................................................... 334

Structured privileges ... 137–138, 183, 215, 354,

499

creation ................................................................ 244

Subcatalog objects .................................................. 49

Subpackages .................................................. 298, 438

creation ................................................................ 298

Synonyms .................................................................. 86

SYS schema .................................................... 126, 172

_SYS_BI_CP_ALL .................................................... 325

_SYS_BIC schema .................................................. 517

_SYS_REPO ... 69, 85, 94, 117, 145, 178, 190, 200,

202, 244, 277, 279, 288, 300, 512

SYS_REPO .................................... 211, 233, 337, 354

SYS_REPO schema ................................................ 352

Syslog ......................................................................... 458

SYSTEM account ................................... 43, 117, 520

System account ........................................................ 73

System auditing role ............................................ 266

System change auditing ..................................... 482

System privileges ... 74, 133, 142, 147, 179, 188,

193, 211, 222, 241, 261, 408, 512

case study ............................................................ 262

default ................................................................... 242

definition ............................................................. 241

developer-related ............................................. 242

environment monitoring-related .............. 252

granting ............................................................... 253


revoking ............................................................... 257

SAP HANA Studio ............................................. 254


Workbench ..................................................... 256

security admin-related ................................... 243

SQL ......................................................................... 253

system admin-related ..................................... 246

System users ........................................................... 522

System utilization ................................................. 456

541

Index

T

Table types ............................................................... 335

Tables ........................................................ 86, 282, 318

Tailored Datacenter Integration (TDI) ... 32, 522

TCP/IP connectivity port ...................................... 34

TCP/IP packets ............................................. 404, 412

TCP/IP port .............................................................. 445

Technical user accounts ..................................... 117

Third-party authentication ............................... 389

Trace

deletion ................................................................ 491

disable .................................................................. 492

Trace file ......................................................... 418, 493

Trace file viewer .................................................... 494

Trace level ................................................................ 492

Transport Layer Security (TLS) .............. 403, 511

Transport route ..................................................... 446

Triggers ........................................................................ 86

Troubleshooting ................................................... 487

case study ............................................................ 504

U

User accounts ............................................... 115, 142

authentication .................................................. 400

creation and management .......................... 119

default settings ................................................. 121

deletion ................................................................ 129

SAP HANA Studio ............................................. 121

SQL statements ................................................. 120

system views ...................................................... 126

User admin system privilege ........................... 512

User attributes ............................................. 126, 129

User credentials ..................................................... 375

User management ................................................... 70

User management role ....................................... 262

User roles

assignment ......................................................... 149

User schemas ............................................................. 76

User traces

SQL configuration ............................................ 491

User-specific trace ................................................ 487

V

Validity period ....................................................... 329

Views ............................................................................ 86

W

Workspaces ................................................................ 41

X

X.509 ....................................................... 375, 396, 403

X509 certificate ..................................................... 120

XML-based analytic privileges ........ 77, 320, 517

stored procedure .............................................. 337

XML-based dynamic analytic privileges ..... 336

mapping table ................................................... 334

stored procedure .............................................. 335

XS Artifact Administration ............................... 415

XS engine ..... 28, 33, 39, 119, 234, 377, 397, 409,

414, 428

web-based applications ................................ 415

XSA engine ................................................................. 33

First-hand knowledge.

We hope you have enjoyed this reading sample. You may recommend or pass it on to others, but only in its entirety, including all pages. This reading sample and all its parts are protected by copyright law. All usa-ge and exploitation rights are reserved by the author and the publisher.

Jonathan Haun currently serves as a director within Proti-viti’s Data and Analytic Group. Over the past several years, he has had the opportunity to help several clients imple-ment solutions using SAP HANA. In addition to being certi-fied in multiple SAP BusinessObjects BI tools, he also holds the certifications of SAP Certified Application Associate - SAP HANA 1.0, SAP Certified Technology Associate - SAP

HANA 1.0 and SAP Certified Technology Specialist - SAP HANA Installations.

Jonathan has worked in the field of business intelligence and database admi-nistration for more than 14 years. During this time, he has gained invaluable experience helping customers implement solutions using the tools from the SAP BusinessObjects BI and SAP HANA product lines. Before working as a full-time SAP consultant, he worked in a variety of information technology ma-nagement and administrative roles. His combination of experience and wealth of technical knowledge make him an ideal source of information pertaining to SAP BusinessObjects BI and SAP HANA. You can follow Jonathan on Twitter at @jdh2n or visit his blog at http://sapbi.blog.

Jonathan Haun

SAP HANA Security Guide541 Pages, 2017, $79.95 ISBN 978-1-4932-1441-9

www.sap-press.com/4227

https://www.sap-press.com/sap-hana-security-guide_4227/#utm_source=AWS&utm_medium=readingsample&utm_campaign=Browse%20the%20Book&utm_content=1441

Date post:	06-Feb-2018
Category:	Documents
Upload:	vuongdan
View:	220 times
Download:	3 times

SAP HANA Security Guide - Amazon S3 · PDF fileReading Sample This sample chapter describes...

Documents